From bogorodskiy@inbox.ru  Wed Sep  8 17:56:45 2004
Return-Path: <bogorodskiy@inbox.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DC40D16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  8 Sep 2004 17:56:45 +0000 (GMT)
Received: from mx1.mail.ru (mx1.mail.ru [194.67.23.121])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F275C43D62
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  8 Sep 2004 17:56:44 +0000 (GMT)
	(envelope-from bogorodskiy@inbox.ru)
Received: from [194.186.150.106] (port=54118 helo=inbox.ru)
	by mx1.mail.ru with esmtp 
	id 1C56gU-000Ja9-00
	for FreeBSD-gnats-submit@freebsd.org; Wed, 08 Sep 2004 21:56:43 +0400
Message-Id: <E1C56gU-000Ja9-00.bogorodskiy-inbox-ru@mx1.mail.ru>
Date: Wed, 08 Sep 2004 21:56:43 +0400
From: Roman Bogorodskiy <bogorodskiy@inbox.ru>
Reply-To: Roman Bogorodskiy <bogorodskiy@inbox.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: portmgr@FreeBSD.org
Subject: [ security ] audio/mpg123: allows code execution with user privilege
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         71499
>Category:       ports
>Synopsis:       [ security ] audio/mpg123: allows code execution with user privilege
>Confidential:   yes
>Severity:       serious
>Priority:       high
>Responsible:    trhodes
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 08 18:00:42 GMT 2004
>Closed-Date:    Tue Mar 01 03:27:15 GMT 2005
>Last-Modified:  Tue Mar 01 03:27:15 GMT 2005
>Originator:     Roman Bogorodskiy
>Release:        FreeBSD 5.3-BETA3 i386
>Organization:
>Environment:
System: FreeBSD lame.novel.ru 5.3-BETA3 FreeBSD 5.3-BETA3 #5: Sun Sep 5 16:56:41 MSD 2004 root@lame.novel.ru:/usr/obj/usr/home/novel/current/src/sys/NOVEL i386


>Description:
	http://www.alighieri.org/advisories/advisory-mpg123.txt

	Cite: 
		"A malicious formatted mp3/2 causes mpg123 to fail header 
	checks, this may allow arbitrary code to be executed with the 
	privilege of the user trying to play the mp3. For more information 
	read and understand the patch."

	Added files: patch-layer2.c

	PS I don't really think somebody runs mpg123 under root, nevertheless
	it's better to get this bug fixed. 
	
>How-To-Repeat:
>Fix:

diff -ruN mpg123.orig/files/patch-layer2.c mpg123/files/patch-layer2.c
--- mpg123.orig/files/patch-layer2.c	Thu Jan  1 03:00:00 1970
+++ mpg123/files/patch-layer2.c	Wed Sep  8 21:44:53 2004
@@ -0,0 +1,14 @@
+diff -u -r1.1.1.1 layer2.c
+--- layer2.c	1999/02/10 12:13:06	1.1.1.1
++++ layer2.c	2004/09/02 21:43:58
+@@ -265,6 +265,11 @@
+   fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
+      (fr->mode_ext<<2)+4 : fr->II_sblimit;
+ 
++  if (fr->jsbound > fr->II_sblimit) {
++	  fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
++	  fr->jsbound=fr->II_sblimit;
++  }
++  
+   if(stereo == 1 || single == 3)
+     single = 0;
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->trhodes 
Responsible-Changed-By: trhodes 
Responsible-Changed-When: Fri Sep 10 05:45:55 GMT 2004 
Responsible-Changed-Why:  
Over to me. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71499 
State-Changed-From-To: open->closed 
State-Changed-By: trhodes 
State-Changed-When: Tue Mar 1 03:26:48 GMT 2005 
State-Changed-Why:  
This should have been closed a long time ago. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71499 
>Unformatted:
